hipaa Archives - HIPAA News, Web & Email Security Tips & News - Plus More | LuxSci

Posts Tagged ‘hipaa’

HIPAA Law and HITECH/Omnibus Conformance – Small Medical Practice

Monday, August 14th, 2017

As the owner of a small to medium-sized medical practice (say, 1-19 physicians and 5-50 employees) you have many concerns: how to hire and retain competent staff, how to deal with vendors such as payroll, billing and collection services, and, above all, how to serve your patients' needs as economically and quickly as possible, by speeding up scheduling, getting at medical records quickly, coordinating treatment with other doctors, and so on. Time spent managing your information and communications infrastructure for HIPAA or HITECH compliance may not seem like the most critical part of your work.


However, the use of ICT (information and communications technologies) in the healthcare industry has become pervasive and has special relevance for every medical practitioner, given the provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which strengthens the original Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules, adds breach-notification duties and extends the rules to business associates. HITECH also gives medical practitioners incentives to step up their use of electronic health records (EHR) to “exchange electronic health information with, and integrate such information from, other sources.”


Does my patient intake form need to be HIPAA compliant?

Wednesday, August 2nd, 2017


Our latest “Ask Erik” question asks when web-based patient-intake forms need to be HIPAA compliant:

B.G. asks:

“Do we need to be HIPAA compliant if our intake forms have patient name, birthday, and address, but no social security number or other insurance information?”

The short answer is “YES”.

You need to be concerned about HIPAA compliance whenever you collect or send individually identifiable health information, and “identifiable” is a far broader concept than most people expect. Name, date of birth and street address are each on the list of identifiers that must be stripped before data counts as de-identified under HIPAA's Safe Harbor method, so an intake form that collects them is collecting PHI even without a social security number or insurance details.


Opt-In Email Encryption is Too Risky for HIPAA Compliance

Tuesday, July 11th, 2017

A majority of companies and hospitals that offer email encryption for HIPAA compliance allow senders to “opt in” to encryption message by message: if the sender does nothing special, the email goes out the normal, insecure way; if the sender explicitly checks a box or adds a keyword to the subject or body, the message is encrypted.

Opt-in encryption is attractive because it is “easy”: end users do not want extra work and do not want encryption requirements to slow them down, especially when many of their messages contain no PHI. It is “good for usability” and therefore easy to sell.


However, opt-in encryption is a very bad idea now that the HIPAA Omnibus Rule is in force. Opt-in encryption places a large amount of risk on the organization, and that risk grows with every additional sender, because a single forgotten checkbox sends PHI in the clear. Organizations are responsible for the mistakes and lapses of their employees, so an encryption system in which inattention leads to a breach is something to be very wary of.
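To make the difference concrete, here is an added example (not LuxSci's gateway code, and not from the original post) in Python that models the two outbound policies side by side. The `[secure]` opt-in tag, the `[nophi]` opt-out tag, the coarse PHI patterns and the four sample messages are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Added example, not LuxSci's gateway. Models the two outbound policies the post
# contrasts: "opt-in" (plain unless the sender flags the message) and
# "encrypt by default" (encrypted unless the sender opts out AND no PHI is detected).
# Tags, patterns and sample messages below are constructed for illustration.

OPT_IN_TAG = "[secure]"   # assumed opt-in marker
OPT_OUT_TAG = "[nophi]"   # assumed opt-out marker

# Coarse PHI indicators used only as a safety net; a real gateway would use a tuned DLP rule set.
PHI_PATTERNS = [
    re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.I),                            # medical record number
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                                # SSN
    re.compile(r"\b(?:dob|date of birth)\b.*?\d{1,2}/\d{1,2}/\d{2,4}", re.I),
    re.compile(r"\b(?:diagnos|prescri|lab result)", re.I),               # clinical vocabulary
]


@dataclass
class Message:
    sender: str
    subject: str
    body: str


def looks_like_phi(msg: Message) -> bool:
    text = msg.subject + "\n" + msg.body
    return any(p.search(text) for p in PHI_PATTERNS)


def opt_in_policy(msg: Message) -> str:
    """Encrypt only when the sender remembered the tag; forgetting means plaintext PHI."""
    return "encrypt" if OPT_IN_TAG in msg.subject.lower() else "plain"


def encrypt_by_default_policy(msg: Message) -> str:
    """Encrypt unless the sender opted out AND the content scan finds nothing PHI-like."""
    if OPT_OUT_TAG in msg.subject.lower() and not looks_like_phi(msg):
        return "plain"
    return "encrypt"


def audit(messages, policy) -> list:
    """Subjects a policy would send in the clear even though the content looks like PHI."""
    return [m.subject for m in messages if policy(m) == "plain" and looks_like_phi(m)]


# Constructed sample traffic from a fictional clinic domain.
SAMPLE = [
    Message("dr.smith@example-clinic.test", "Lunch Thursday?", "Want to grab lunch?"),
    Message("dr.smith@example-clinic.test", "[secure] Lab results", "MRN 1234567: HbA1c 7.1%"),
    Message("nurse@example-clinic.test", "Re: follow-up", "Patient DOB 03/14/1962, prescribed metformin"),
    Message("billing@example-clinic.test", "[nophi] Invoice template", "Attached is the blank template."),
]

if __name__ == "__main__":
    for name, policy in (("opt-in", opt_in_policy), ("encrypt-by-default", encrypt_by_default_policy)):
        print(name, "leaks:", audit(SAMPLE, policy))
```

`audit` is the check to run before trusting a policy. Under opt-in, the nurse's untagged follow-up leaves in the clear; under encrypt-by-default the content scan blocks the opt-out, so the only remaining leak path is a message that is both explicitly opted out and unrecognised by the scanner. The safe default, not the scanner, carries the weight.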


What makes an App HIPAA-Compliant?

Monday, July 10th, 2017

In the last ten or so years, apps have swept through the world alongside the smartphone boom. Smartphones enabled us to carry miniature computers everywhere we went, so we quickly began to integrate them into our everyday lives.

We stopped asking for directions and used the GPS app instead, we checked out the Yelp app when we wanted to find somewhere good to eat, and we kept track of our friends on Facebook from our mobiles.

People have become accustomed to using apps these days, which has put pressure on many organizations to conduct their services through them. If they don’t offer an app, they may lose customers to their more tech-savvy competitors. The health industry is no different, so apps have become an essential offering for many organizations.


In some industries, developing apps may be relatively straightforward, but those that deal with PHI need to make sure that their app is HIPAA compliant. If your company’s app isn’t HIPAA compliant, it could result in heavy fines or a breach of patient data, which could seriously harm your business’s finances and its reputation.

To make a HIPAA-compliant app, privacy and security need to be considered at each step of development.


How Is HIPAA-Compliant Email Different from Secure Email?

Wednesday, June 21st, 2017

Protected health information (PHI) is heavily regulated under HIPAA, but the exact details can be confusing. The regulations are designed to keep everyone’s private information safe, but they also put a significant amount of responsibility on businesses.

HIPAA regulations apply to just about every aspect of a person's medical information, including its transmission, storage and access. Because email is such an important and widely used form of communication, HIPAA regulations apply to it as well.


Some may think that secure, encrypted email is all you need to keep PHI safe and emails compliant. The reality is that HIPAA's email requirements go beyond standard secure email: encryption in transit says nothing about the business associate agreement, access controls, audit logging and retention that the rules also demand. To protect your business, you need to make sure that your email provider is HIPAA-compliant, not just secure.


HIPAA-Compliance eBook Series

Wednesday, May 31st, 2017


LUXSCI RELEASES FREE HIPAA-COMPLIANCE EBOOK SERIES

New series further explains secure email, texting, websites, web forms and email marketing.

BOSTON, MA – May 30, 2017 – LuxSci (www.luxsci.com), the HIPAA-compliant Internet and email security experts, has just released its three-part eBook series on HIPAA-compliant communications, aimed at healthcare organizations that need additional information to help them understand the methods and technologies available for safeguarding their practice and protecting patient privacy.

In the first eBook, “HIPAA-Compliant Email Basics”, LuxSci discusses HIPAA and ePHI, the provisions of the HIPAA email security rule, risk analysis and the need for encryption, and takes a closer look at Gmail and Google Apps.

The next eBook, “HIPAA-Compliant Website Basics”, defines what is required from HIPAA-compliant websites, website hosting, and web forms.

The final eBook, “HIPAA-Compliant Bulk Emailing Basics”, is a technical guide to email marketing and outlines best practices for list maintenance, large-scale sending strategies, IP reputation challenges, SPF and DKIM considerations, and HIPAA-compliance specifics.

Erik Kangas, Ph.D. and CEO of LuxSci, says, “Online communications technologies are pervasive and they can really help a healthcare organization stay current and engaged. Understanding the technologies, the risks, and the best practices are the first steps to getting started in a productive, compliant, and profitable direction. These eBooks provide a great deal of guidance, enabling you to get started quickly.”

The free eBooks, along with information on how LuxSci can help with HIPAA compliance, are available from www.luxsci.com.

How do I send HIPAA-compliant lab results via email?

Friday, May 5th, 2017

A question about HIPAA-compliant transactional email from Ask Erik:

As a non-technical member of the founding team of a Health Care Startup I have a question about HIPAA-compliant email as we begin to send out lab test results to individuals and the health care providers we partner with:

“Does one dedicated email address for results distribution that is HIPAA-compliant and secure make us compliant?”

We have team members who communicate with our DDS clinics but they don’t distribute test results. Only I will do that through a dedicated email address.   What do we have to do to be compliant from day one of distributing test results as part of our service to our customers (primarily dentists and oral surgeons)?

I was told by the service provider of our website and email hosting services that if we made the one email address a Business Premium account using the Microsoft Secure Server, that all the other regular email addresses would be covered as well. Is this true?

Thank you for the forum to ask real life scenario questions.


Hello,

There are many aspects to your question. Let's address each one in turn:


HIPAA-compliant Save and Resume for your Web forms

Wednesday, May 3rd, 2017

If you have a long or complex web form, users may wish to fill out only part of it and then save their work so that they can come back later and finish the form.  This is “Save and Resume” functionality.  While some form systems support Save and Resume, few provide HIPAA-compliant Save and Resume.


What does HIPAA-compliant Save and Resume require?

For HIPAA-compliant Save and Resume, at a high level you need:

  1. The form data to be saved must be securely transmitted from the user’s browser to a server
  2. That data should be encrypted while stored
  3. That data must be securely transmitted back from the server when the user wants to resume editing the form
  4. Usually, the end user gets a link that can be used to resume editing the form where they left off.  This link must be password protected or otherwise require authentication, so that access to the saved form data is restricted.  HIPAA requires access control.
  5. Audit trail logs of saving and resuming form data should be kept.
  6. You need a HIPAA Business Associate Agreement with the service provider hosting the database where the form data is being saved.

The majority of Save and Resume functions provided by form service providers either (a) do not encrypt the stored data, (b) do not authenticate the user who resumes the form, (c) do not keep any kind of logs, or (d) do not provide a HIPAA Business Associate Agreement covering the servers that host the data.
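The requirements above map onto a small amount of server-side code. The following is an added example in Python, not LuxSci's form service and not from the original post. It assumes that the data-encryption key is held outside the database, that the resume link carries a random token stored only as a hash, that the user also supplies a password to resume, and that drafts expire after a week; the class and function names are the example's own. Because it is limited to the standard library, encryption at rest uses an HMAC-SHA256 keystream with an encrypt-then-MAC tag as a stand-in for a vetted AEAD; in production use AES-GCM from the `cryptography` package or a KMS envelope instead. Secure transmission in both directions (requirements 1 and 3) is assumed to be handled by TLS at the web server and is not shown.

```python
import hashlib, hmac, json, secrets, time
from typing import Optional

# Added example, not LuxSci's form service. Assumptions: the data-encryption key
# lives outside the database; the resume link carries a random token stored only
# as a hash; resuming also requires a password; drafts expire after a week.

KDF_ITERATIONS = 200_000
TOKEN_TTL_SECONDS = 7 * 24 * 3600   # assumed draft lifetime
MAX_FAILED_RESUMES = 5              # assumed lockout threshold


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode so the example runs on the standard library alone.
    Stand-in for a real AEAD (use AES-GCM in production)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from the master data key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: 16-byte nonce || ciphertext || 32-byte tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; raise on any tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("stored form data failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SaveResumeStore:
    def __init__(self, data_key: bytes, now=time.time):
        self._key = data_key   # never written to the database alongside the rows
        self._rows = {}        # token_hash -> record; stands in for the database table
        self.audit_log = []    # append-only trail of save/resume events (requirement 5)
        self._now = now

    def _log(self, event: str, token_hash: str, actor_ip: str, ok: bool) -> None:
        self.audit_log.append({"ts": self._now(), "event": event,
                               "draft": token_hash[:12], "ip": actor_ip, "ok": ok})

    def save(self, form_data: dict, password: str, actor_ip: str) -> str:
        """Encrypt the partial form, file it under a hashed random token, return the token."""
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        salt = secrets.token_bytes(16)
        self._rows[token_hash] = {
            "blob": encrypt(self._key, json.dumps(form_data).encode()),   # requirement 2
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS),
            "expires": self._now() + TOKEN_TTL_SECONDS,
            "failures": 0,
        }
        self._log("save", token_hash, actor_ip, True)
        return token   # goes into the emailed resume link; never stored in clear

    def resume(self, token: str, password: str, actor_ip: str) -> Optional[dict]:
        """Return the saved form only if the token is live and the password matches (requirement 4)."""
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        row = self._rows.get(token_hash)
        if row is None or row["expires"] < self._now() or row["failures"] >= MAX_FAILED_RESUMES:
            self._log("resume", token_hash, actor_ip, False)
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), row["salt"], KDF_ITERATIONS)
        if not hmac.compare_digest(candidate, row["pw_hash"]):
            row["failures"] += 1
            self._log("resume", token_hash, actor_ip, False)
            return None
        self._log("resume", token_hash, actor_ip, True)
        return json.loads(decrypt(self._key, row["blob"]).decode())
```

Two design points worth noting. The token in the emailed link is stored only as a SHA-256 hash, so a copy of the database does not hand an attacker a working resume link, and the password is what turns the link from “something you have in your inbox” into real access control. The audit trail records failed resumes as well as successful ones, which is what lets you spot someone guessing at tokens or passwords later.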


Interview with Jim Simpson, Director of Product Management at Duo

Wednesday, April 26th, 2017

Back in 2011, LuxSci integrated Duo.com's two-factor authentication into our WebMail service. Any LuxSci customer can use Duo.com to protect their WebMail, as well as their administrative access to LuxSci, at no extra cost.

We use Duo's authentication ourselves; it is great for administrative actions both at the server command line and through the web interface. A two-factor authentication system such as Duo.com substantially strengthens a system's security. PCI DSS requires multi-factor authentication for administrative access to the cardholder data environment, and it helps satisfy HIPAA's person or entity authentication requirement as well.


The new Duo Access service is an innovative way to enforce corporate security policies, helping businesses to drastically cut their risks. Duo’s Jim Simpson has taken some time out of his schedule to answer some questions for us and discuss the details of their service.


Data Privacy Laws: How Does the US Stack Up Against the EU?

Wednesday, April 12th, 2017

by Josh Lake

As the media attention surrounding the repeal of the FCC's broadband privacy rules begins to calm down, now is a good time to examine where the USA stands with its current laws. As one of the most culturally and economically similar parts of the world, Europe provides a useful frame of reference for comparing our laws.

While the US government is focusing on stripping back red tape in a bid to kickstart business, the European Union has gone in the other direction and is stepping up its regulation with the General Data Protection Regulation (GDPR). The GDPR applies from 25 May 2018, so businesses are hard at work making sure they will be compliant when that date arrives.
